RE: authenticating users with php&mysql

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



That is incrediably risky since you are exposing the entire db for those users. What about setting [limited] permissions for those users?

I woul move to a table based authentication, where you have a users table and one [or more] mysql accounts with the bare minimum privileges to allow the user to run the application. The below table structure could be the bare minimum.

CREATE TABLE `users` (
 `user_id` int(10) NOT NULL auto_increment,
 `user_name` varchar(50) NOT NULL default '',
 `user_password` varchar(50) NOT NULL default '',
 PRIMARY KEY  (`user_id`)
) TYPE=MyISAM AUTO_INCREMENT=1 ;

Then your code would besomething like this: (note there should be way more validation of the username and password before attempting to execute the query)

<html>
<head><title>MySQL Connection</title></head>
<body>
<div align="centre">
<form action="<?php echo $_SERVER[PHP_SELF];?>" method="POST">
Name: <input type="text" name="txt_name"> 
Password: <input type="password" name="txt_password"> 
<br /><input type="submit" value="Submit">
</div>
</form>
</body>
</html>
<?php


   $user_name = @$_POST['txt_name'];
   $user_pass = @$_POST['txt_password'];

   if ((trim($user_name) = "")&&(trim($user_pass) = ""))
   {
     echo "User not authorized. HIt the back button to login again";
     die();
   }//end if

   $db_host = "localhost";
   $db_user = $account_name;
   $db_password = $account_password;
   $db_name = "data";

$connection = @mysql_connect ($db_host, $db_user,$db_password) or die ("error connecting");
echo "connection successful!";


$sql = "select * from users where user_name =$user_name and user_password = '$user_pass'";
$result = mysql_query($sql) or die("Can't query because ".mysql_error());
if (mysql_num_rows($result)==1)
{
echo "User auhorized";
}else{
echo "User not authorized. HIt the back button to login again";
}//end if


?>

hth

Bastien



From: "it clown" <php5@xxxxxxxxxxxxx>
To: php-db@xxxxxxxxxxxxx
Subject:  authenticating users with php&mysql
Date: Wed, 26 Jan 2005 12:44:38 +0200

Hi All,

I am trying to create a page with 2 text boxes a name and a
password with a submit button.The user must enter his
username and password that is stored in mysql to access the
site.

With the following code i get a successfull connection with
a blank username and password but when i enter a wrong
username and password i get a error that is correct.

<html>
   <head><title>MySQL Connection</title></head>
      <body>
         <div align="centre">
            <form action="<?php echo $_SERVER[PHP_SELF];
?>" method="POST">
               Name: <input type="text"
name="txt_name">&nbsp;
               Password: <input type="text"
name="txt_password">&nbsp;
               <br /><input type="submit" value="Submit">
         </div>
            </form>
       </body>
</html>
<?php
   $db_host = "localhost";
   $db_user = $_POST["txt_name"];
   $db_password = $_POST["txt_password"];
   $db_name = "data";
   $connection = @mysql_connect ($db_host, $db_user,
$db_password) or die ("error connecting");
   echo "connection successful!";
?>

What is the best way to authenticate users against mysql
for login?

Regards
______________________________________________________________
http://www.webmail.co.za the South African FREE email service

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


-- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux